I'm writing about an issue that came up in Gentoo wrt coreutils' install
[1]. There we are working on moving PaX security markings [2] from our
systems' ELF program headers to an extended attribute field named
"user.pax.flags". The advantage of leaving the markings in the ELF the
way we had it is that they always travel with the executables/libraries,
but the disadvantage is that it makes our ELF objects less in line with
what you get on other Linux distros with all the issues that come with that.

The problem we encountered is that for some packages, we need to do the
xattr pax markings *before* running install in our package management
system. For example we need to mark python to run correctly under a
kernel enforcing PaX. But we need to mark it before running tests and
therefore before install.

The problem comes because coreutils' install does not have a --preserve=
option like cp does. It does have --preserve-context for SELinux but
not a more general preserve option for extended attributes. In many
ways, xattr PaX markings follow the same design principles as SELinux
security labels.
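
An added example, not part of the original message and not Gentoo's or coreutils' code: it marks a file with user.pax.flags, runs install on it, and compares the result with a wrapper that copies the user.* attributes across afterwards. The marking value "em", the file names and the helper names are assumptions made for illustration, and it needs a filesystem that supports user extended attributes.

```python
import errno
import os
import subprocess
import tempfile

PAX_ATTR = "user.pax.flags"   # attribute name given in the message


def read_flag(path):
    """Return the PaX marking on path, or None if the attribute is absent."""
    try:
        return os.getxattr(path, PAX_ATTR)
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise


def install_keep_user_xattrs(src, dst, mode="0755"):
    """Run install(1), then copy the user.* xattrs that it left behind."""
    subprocess.run(["install", "-m", mode, src, dst], check=True)
    for name in os.listxattr(src):
        if name.startswith("user."):
            os.setxattr(dst, name, os.getxattr(src, name))


def demo():
    """Compare plain install with the wrapper; None if the fs lacks user xattrs."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "built")
        with open(src, "wb") as fh:
            fh.write(b"constructed stand-in for a built binary\n")
        try:
            os.setxattr(src, PAX_ATTR, b"em")   # constructed sample marking
        except OSError as exc:
            if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
                return None
            raise
        plain = os.path.join(work, "plain")
        kept = os.path.join(work, "kept")
        subprocess.run(["install", "-m", "0755", src, plain], check=True)
        install_keep_user_xattrs(src, kept)
        return {"plain": read_flag(plain), "kept": read_flag(kept)}


if __name__ == "__main__":
    print(demo())
```

Only the user.* namespace is copied, since other namespaces such as security.* usually need privileges to write.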